Superuser Privilege Management

Implement a least-privilege security model for Linux and UNIX systems with flexible, role-based controls that protect privileged operations while still granting users only the privileges they need to do their jobs.

The Challenge

A superuser account is any administrative account that grants full access to an operating system or application such as a database. On Linux and UNIX platforms, system accounts such as root or service accounts such as oracle are needed for installation, configuration, administration and management tasks. But as Gartner (Research Report ID# G00130427) has noted, Linux and UNIX systems inherently lack a scalable and simple model for administrative delegation. In many organizations Linux and UNIX personnel - such as system administrators, DBAs, backup operators and help desk staff - are routinely given increased privileges to accomplish even narrowly focused administrative tasks such as performing backups or managing a web site.

Organizations are becoming increasingly aware of the risk that such broad administrative grants pose: theft of corporate IP, insider attacks, or simply inadvertent changes that damage systems or data. But the usual alternative, sudo, is frequently so complex to manage at scale (its policy lives in a sudoers file on every host, and a grant that looks narrow often permits far more than intended) that some organizations simply live with the exposure because they have no practical way to limit privileges without hindering users in performing necessary administrative tasks.
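As an added illustration of the problem described above (this is constructed example configuration, not from the original page or from Centrify's product): the sudoers fragment below is the kind of rule written for backup operators. The group name backup-ops, the wrapper path /usr/local/sbin/run-backup and the file name are assumptions for the example.

```sudoers
# Constructed example: /etc/sudoers.d/backup-ops
# Intent: members of the backup-ops group may run only the backup tools as root.
Cmnd_Alias BACKUP_CMDS = /usr/bin/tar, /usr/bin/rsync
%backup-ops ALL = (root) NOPASSWD: BACKUP_CMDS

# Caveat 1: with no argument restriction, both tools can be told to execute
# other programs, so this "narrow" grant is effectively full root, e.g.
#   sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
# Caveat 2: the rule is per host; every machine needs its own copy kept in sync.

# Tighter form: a fixed wrapper script that takes no arguments ("" forbids any),
# and noexec so the granted commands cannot spawn further programs as root.
Defaults!BACKUP_CMDS noexec
%backup-ops ALL = (root) NOPASSWD: /usr/local/sbin/run-backup ""
```

Validate any such fragment with `visudo -c -f /etc/sudoers.d/backup-ops` before relying on it; a syntax error in an included file can lock administrators out of sudo on that host.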

The Centrify Solution

The Centrify Suite provides a single, unified privilege management solution across more than 225 Linux and UNIX platforms. Instead of relying on complex scripting, proprietary databases, or expensive server architectures, Centrify joins your Linux and UNIX systems to your existing Active Directory infrastructure. You can then model Linux and UNIX user roles within Active Directory and apply those roles to the existing Active Directory identities. With the Centrify Suite you can:

  • Associate all rights with centrally managed Active Directory accounts and groups, ensuring unambiguous accountability and simplifying rights management
  • Grant users rights to execute commands with elevated privileges, eliminating the need for access to privileged accounts and passwords
  • Assign users a Restricted Environment with access only to a specific "whitelist" of commands
  • Simplify the execution of privileged commands for users
  • Lock down sensitive systems with fine-grained access controls that specify who can access a system and how
  • Set time windows when a role can access a system, and set time periods when a role assignment is active, including temporary assignments scoped to individual computers

Learn More

On-Demand Webinar: Implementing Least-Privilege Security Management in Complex Linux and UNIX Environments
On-Demand Webinar: Beyond Authentication: Using Centrify DirectAuthorize for Fine-Grained Access Control and Privilege Management on UNIX & Linux
Video Chalktalk: Introducing DirectAuthorize Part 1: Concepts & Features
Video Chalktalk: Introducing DirectAuthorize Part 2: Architecture & Advanced Features
Blog Post: Superuser Privilege Management

While all the above features make DirectControl for Mac a tempting solution, the fact that it includes a range of group policies that can be used to secure and manage the Mac OS X environment is what makes it an excellent solution. DirectControl for Mac uses group policies that integrate with the client-side components of Apple's managed preference environment. ... Having had the opportunity to work with both the existing set of group policies and to see a preview version of the upcoming expanded set, I was amazed at Centrify's success. The experience of managing Macs was exactly the same as managing Windows computers using group policies. Any experienced Active Directory administrators, even those who have no Mac support experience, will feel completely at home. Any experienced Mac administrator will also notice that Centrify has managed to mirror the preference management component of Mac OS X Server's Workgroup Manager.

Ryan Faas
ComputerWorld
March 29, 2007